Creating an L7 load balancer in Application Load Balancer with a Smart Web Security profile through Terraform
To create an L7 load balancer with a Smart Web Security profile through Terraform:
If you no longer need the resources you created, delete them.
Get your cloud ready
Sign up in Yandex Cloud and create a billing account:
- Navigate to the management console and log in to Yandex Cloud or register a new account.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the
ACTIVEorTRIAL_ACTIVEstatus. If you do not have a billing account, create one and link a cloud to it.
If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.
Learn more about clouds and folders.
Required paid resources
The infrastructure support costs for an L7 load balancer with a Smart Web Security profile include:
- Fee for continuously running VMs (see Yandex Compute Cloud pricing).
- Fee for using the computing resources of the L7 load balancer (see Application Load Balancer pricing).
- Fee for requests processed by security profile rules (see Yandex Smart Web Security pricing).
Create an infrastructure
With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.
For more information about the provider resources, see the documentation on the Terraform website or mirror website.
To create an infrastructure using Terraform:
-
Install Terraform, get the authentication credentials, and specify the source for installing the Yandex Cloud provider (see Configure a provider, Step 1).
-
Prepare your infrastructure description files:
Ready-made configurationManually-
Clone the repository with configuration files.
git clone https://github.com/yandex-cloud-examples/yc-alb-with-sws-profile.git -
Navigate to the repository directory. Make sure it contains the following files:
alb-smartwebsecurity-config.tf: New infrastructure configuration.alb-smartwebsecurity.auto.tfvars: User data file.
- Create a folder for configuration files.
- In the folder, create:
-
alb-smartwebsecurity-config.tfconfiguration file:alb-smartwebsecurity-config.tf
# Declaring variables with sensitive data variable "folder_id" { type = string } variable "vm_user" { type = string } variable "ssh_key_path" { type = string } variable "allowed_ip" { type = string } # Adding other variables locals { zone = "ru-central1-a" network_name = "web-network" subnet_name = "subnet1" sg_vm_name = "sg-web" vm_name = "test-vm1" vm_image_family = "lemp" } # Configuring a provider terraform { required_providers { yandex = { source = "yandex-cloud/yandex" version = ">= 0.47.0" } } } provider "yandex" { folder_id = var.folder_id } # Creating a cloud network resource "yandex_vpc_network" "network-1" { name = local.network_name } # Creating a subnet resource "yandex_vpc_subnet" "subnet-1" { name = local.subnet_name v4_cidr_blocks = ["192.168.1.0/24"] zone = local.zone network_id = yandex_vpc_network.network-1.id } # Creating a security group resource "yandex_vpc_security_group" "sg-1" { name = local.sg_vm_name network_id = yandex_vpc_network.network-1.id egress { protocol = "ANY" description = "any" v4_cidr_blocks = ["0.0.0.0/0"] from_port = 1 to_port = 65535 } ingress { protocol = "TCP" description = "ext-http" v4_cidr_blocks = ["0.0.0.0/0"] port = 80 } ingress { protocol = "TCP" description = "ext-https" v4_cidr_blocks = ["0.0.0.0/0"] port = 443 } ingress { protocol = "TCP" description = "healthchecks" predefined_target = "loadbalancer_healthchecks" port = 30080 } } # Adding a prebuilt VM image resource "yandex_compute_image" "lamp-vm-image" { source_family = local.vm_image_family } resource "yandex_compute_disk" "boot-disk" { name = "bootvmdisk" type = "network-hdd" zone = local.zone size = "20" image_id = yandex_compute_image.lamp-vm-image.id } # Creating a VM instance resource "yandex_compute_instance" "vm" { name = local.vm_name platform_id = "standard-v3" zone = local.zone resources { core_fraction = 20 cores = 2 memory = 1 } boot_disk { disk_id = yandex_compute_disk.boot-disk.id } network_interface { subnet_id = yandex_vpc_subnet.subnet-1.id nat = true security_group_ids = [yandex_vpc_security_group.sg-1.id] } metadata = { user-data = "#cloud-config\nusers:\n - name: ${var.vm_user}\n groups: sudo\n shell: /bin/bash\n sudo: 'ALL=(ALL) NOPASSWD:ALL'\n ssh_authorized_keys:\n - ${file("${var.ssh_key_path}")}" } } # Creating a security profile resource "yandex_sws_security_profile" "demo-profile-simple" { name = "test-profile" default_action = "DENY" # Smart Protection rule with full protection security_rule { name = "smart-protection" priority = 999900 smart_protection { mode = "FULL" } } # Basic rule, allows traffic from the specified IP address without checking by the Smart Protection rule security_rule { name = "my-rule" priority = 999800 rule_condition { action = "ALLOW" condition { source_ip { ip_ranges_match { ip_ranges = [var.allowed_ip] } } } } } } # Creating a target group resource "yandex_alb_target_group" "foo" { name = "test-target-group" target { subnet_id = yandex_vpc_subnet.subnet-1.id ip_address = yandex_compute_instance.vm.network_interface.0.ip_address } } # Creating a backend group resource "yandex_alb_backend_group" "alb-bg" { name = "test-backend-group" http_backend { name = "backend-1" port = 80 target_group_ids = [yandex_alb_target_group.foo.id] healthcheck { timeout = "10s" interval = "2s" healthcheck_port = 80 http_healthcheck { path = "/" } } } } # Creating an HTTP router resource "yandex_alb_http_router" "alb-router" { name = "test-http-router" } resource "yandex_alb_virtual_host" "alb-host" { name = "test-virtual-host" http_router_id = yandex_alb_http_router.alb-router.id authority = ["*"] route { name = "route-1" http_route { http_route_action { backend_group_id = yandex_alb_backend_group.alb-bg.id } } } route_options { security_profile_id = yandex_sws_security_profile.demo-profile-simple.id } } # Creating an L7 load balancer resource "yandex_alb_load_balancer" "sws-balancer" { name = "test-load-balancer" network_id = yandex_vpc_network.network-1.id security_group_ids = [yandex_vpc_security_group.sg-1.id] allocation_policy { location { zone_id = local.zone subnet_id = yandex_vpc_subnet.subnet-1.id } } listener { name = "listener" endpoint { address { external_ipv4_address { } } ports = [80] } http { handler { http_router_id = yandex_alb_http_router.alb-router.id } } } } -
alb-smartwebsecurity.auto.tfvarsuser data file:alb-smartwebsecurity.auto.tfvars
folder_id = "<folder_ID>" vm_user = "<VM_user_name>" ssh_key_path = "<path_to_public_SSH_key>" allowed_ip = "<allowed_IP_address_of_device>"
-
Learn more about the properties of Terraform resources in the provider documentation:
- Network: yandex_vpc_network.
- Subnets: yandex_vpc_subnet.
- Security groups: yandex_vpc_security_group.
- VM image: yandex_compute_image.
- Backend group: yandex_alb_backend_group.
- HTTP router: yandex_alb_http_router.
- Virtual host: yandex_alb_virtual_host.
- L7 load balancer: yandex_alb_load_balancer.
- Security profile: yandex_sws_security_profile.
-
-
In the
alb-smartwebsecurity.auto.tfvarsfile, set the following user-defined properties:folder_id: Folder IDvm_user: VM user name.ssh_key_path: Path to the file with the public SSH key. For more information, see this Creating an SSH key pair article.allowed_ip: Public IP address of the device that will be sending requests to the L7 load balancer.
-
Create resources:
-
In the terminal, change to the folder where you edited the configuration file.
-
Make sure the configuration file is correct using the command:
terraform validateIf the configuration is correct, the following message is returned:
Success! The configuration is valid. -
Run the command:
terraform planThe terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply -
Confirm the changes: type
yesin the terminal and press Enter.
-
-
Get an IP address for your L7 load balancer: you will need it later to test the security profile.
After you create the infrastructure, test the security profile.
Test the security profile
-
Open the terminal on the device whose IP address you specified in the allow rule.
-
Send a request to the backend of the test application:
curl --verbose <public_IP_address_of_L7_load_balancer>This command should list the contents of the directory with your test web server.
-
Repeat the request from a different IP address. As a result, you should see a message about a failure to establish a connection to the server.
Note
Smart Protection rules are usually not tested. Such tests would add the parameters of suspicious requests, e.g., IP addresses, to a blacklist.
How to delete the resources you created
To stop paying for the resources you created:
-
Open the
alb-smartwebsecurity-config.tfconfiguration file and delete the description of the new infrastructure from it. -
Apply the changes:
-
In the terminal, change to the folder where you edited the configuration file.
-
Make sure the configuration file is correct using the command:
terraform validateIf the configuration is correct, the following message is returned:
Success! The configuration is valid. -
Run the command:
terraform planThe terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply -
Confirm the changes: type
yesin the terminal and press Enter.
-